Impact

An unauthenticated remote attacker may execute arbitrary commands on the device (CVE-2016-7806)

An unauthenticated remote attacker may access SD card or other memory devices inserted into the product (CVE-2016-7807)

Solution

Update the Firmware
On 15 November, 2016, the firmware update which contains a fix for this vulnerability was released.
Update to the latest version of the firmware according to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

I-O DATA DEVICE, INC. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and I-O DATA DEVICE, INC. coordinated under the Information Security Early Warning Partnership.